On 2 April 2014 22:01, Tom Yu <[email protected]> wrote:
> Wang Shouhua <[email protected]> writes:
>
>> On 2 April 2014 21:46, Benjamin Kaduk <[email protected]> wrote:
>>> On Wed, 2 Apr 2014, Wang Shouhua wrote:
>>>
>>>> Is there such a utility which can issue a "ping" (null command) to
>>>> the kdc to see if it is still responding?
>>>
>>>
>>> I'm not aware of a dedicated utility. However, the KDC is basically a
>>> stateless UDP service, so recording a live transaction and replaying an
>>> input packet is expected to yield some sort of response packet. Doing this
>>> periodically allows for a very primitive "liveness check" which can be used
>>> in some monitoring setups. Of course, if one wants to monitor that the KDC
>>> is actually functioning properly and not just spewing error packets, more
>>> effort is required.
>>
>> Does the Kerberos5 core protocol have a 'null' operation?
>
> It does not, unless you count correctly formatted yet invalid KDC-REQs
> that can elicit KRB-ERROR messages. If you don't count that, could
> you describe why having a null operation is important for your
> purposes?

To see if the KDC is still 'alive and kicking'. Apparently some students-as-admins here spent the whole night trying to find a problem in our Kerberos setup, and they are very exhausted. The problem turned out to be a switch/firewall problem which caused the KDC to stop processing requests after some time, something which could have been diagnosed much earlier using a dedicated utility.

Wang
--
Wang Shouhua - [email protected]
中华人民共和国科学技术部 - HTTP://WWW.MOST.GOV.CN
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
